Comment on Senator Warren calls out Apple for shutting down Beeper's 'iMessage to Android' solution
whofearsthenight@lemm.ee 11 months ago

While it’s not mostly about security, and I generally agree that Apple’s dickitry with regard to iMessage should end (they’d be doing a solid in the US to just release an Android client and monetize via sticker packs or something like it), there is most certainly a security risk for Apple to allow a reverse-engineering of their spec to spoof real iPhones, which is how Beeper works:
> pypush is a POC demo of my recent iMessage reverse-engineering. It can currently register as a new device on an Apple ID, set up encryption keys, and send and receive iMessages!
Now, your quote and the others in this thread:
> Beeper didn’t find a security hole, nothing was compromised for Apple.
They sure as fuck did, lol. iMessage isn’t public, it’s not intended to be used by anyone other than Apple, and the bandwidth and servers are not free. It’s not as if every iMessage isn’t going through Apple’s servers, they’re paying for it. Though they didn’t find a technical hole like a zero day or compromise iMessage for customers, they absolutely found a security concern for Apple. If you walk into your house, find your neighbor there grabbing a couple of eggs out of the fridge and they hand wave away and say “don’t worry I didn’t break a window, I just figured out you keep a spare key under the mat and also I’m going to use these to make cookies for the block party and I’m not going to charge a lot for them and only you have these eggs from your chicken you’re hogging them!” you’d kick them out in a hurry and probably call the cops.
So two things:
- We can absolutely be mad at Apple for the lock-in effect of iMessage, there were some leaked emails a while ago that confirm what we all know, this is just there to prevent buying your kid a cheap Android phone. Personally, I think if Apple was serious about keeping their customers secure, they’d either release an Android client or, better, just make sure that the minimum spec for RCS supports E2EE for wide adoption. They can still have a more robust platform with iMessage, and it’s still going to integrate with Apple shit in a way that only they could do.
- Anyone, anywhere, who thought that this was a viable business for Beeper has lost their fucking minds. Their model was basically “trust me bro, we’re going to socially pressure Apple and that’s going to totally work” and while it sounds like they’re back up for now, it will be extremely surprising if it stays that way longer than another week or two. It would be akin to someone launching a business being like “well, we didn’t hack Microsoft/Google/Facebook, but we’re planning on hosting a bajillion users on their backend for free without their approval.”